Our SOC Audit Journey and 5 Things We Learned Along the Way

In late 2014, LogicMonitor took on a massive project – a SOC 2 Type 1 audit of the LogicMonitor SaaS Platform. As VP of Finance for LogicMonitor, I drive our legal affairs and strategic initiatives in many areas, including risk and compliance. As we began to engage larger and more sophisticated customers, I realized that we needed a vehicle to reinforce our commitment to security and availability, and to give customers transparency into the policies and procedures behind the platform. I sought the advice of Ernst & Young, as they have a specialty practice in this area and are passionate about software infrastructure innovation.

Fast forward one year – we now have a SOC 2 Type 1 report to provide to our customers and prospects (under NDA, of course). It was grueling and expensive, and we certainly have more internal processes across all functions now. However, it was immensely important not only to our future but also to the future of our customers.

In this journey, we evaluated our company operations at an extremely deep level and made important fundamental changes. Our customers now have insight into how we’re deploying best practices and next-gen approaches to running our software service and company. This process will also reduce the time that I spend filling out prospect IT security questionnaires, negotiating SLAs and discussing privacy with our prospects’ attorneys.

Here are five things that we learned along the way:

1. The simplest way isn’t always the best way – Auditors tend to suggest the simplest solution to any identified gaps. But if you are growing rapidly, you need to take the time to implement the most thorough and automated solution that best fits your company’s needs.
2. There is wiggle room – The SOC 2 audit doesn’t dictate that you need to do things a certain way; it dictates that you need to comply with certain standards. When it comes time to tweak or overhaul an internal process, make sure that the changes you implement are feasible in the long term.
3. Always leave a trail – Make sure that there is evidence for internal processes across all functions (e.g., that you can prove that Bob is reviewing the security scan results every month). Not having this evidence will hold up the audit.
4. Documentation, documentation, documentation – Among other requirements, the audit will necessitate that all policies and procedures are well documented. The less of that documentation you have to rush through the week before the auditors come, the less likely you’ll run into a problem.
5. Do an internal walkthrough before the auditors come – Knowing where to find evidence and ensuring things are as documented will simplify (and shorten) the audit process.

This is just the beginning of the journey, as we are working on our long-term security and compliance roadmap. I am excited to continue overseeing these processes from my finance seat, so please reach out to me if you would like to exchange ideas or experiences.

Here is the full press release for more info.

Thanks to Sarah Terry and Jeff Behl for their contributions to this article.